PT-2020-9708 · Mantisbt · Mantisbt
Roland Becker
·
Published
2020-03-19
·
Updated
2022-05-24
·
CVE-2019-15539
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
MantisBT versions prior to 2.21.3
Description
The issue affects the Project Documentation feature, specifically the proj_doc_edit_page.php page, and allows stored cross-site scripting (XSS). An attacker uploads a project document whose filename contains HTML or JavaScript; the filename is stored and later written into the edit page without adequate escaping. The injected script runs in the browser of any user who opens the document's edit page, provided the site's Content Security Policy (CSP) permits inline script execution.
Recommendations
For versions prior to 2.21.3, update to MantisBT 2.21.3 or later, which escapes the filename when rendering the page. Until the update is applied, restrict the right to upload project documents to trusted users, review already-stored document filenames for quote characters, angle brackets or event-handler attributes, avoid opening the edit page of documents with suspicious filenames, and keep a Content Security Policy that does not allow inline scripts, since the payload only executes when CSP permits it.
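The attribute-context injection described under Description and the CSP condition and filename workaround under Recommendations, as an added example. This is not MantisBT's own code and not the project's fix; it is a simplified Python model (chosen over PHP so it can be run stand-alone) of the vulnerable rendering pattern beside its escaped form, a parser check that shows whether the crafted filename turned into an executable attribute, a simplified CSP evaluation, and an allowlist check for filenames. The crafted filename, the form markup, the function names and the CSP rules modelled are all assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed attachment filename (not from the advisory). It closes the
# value="..." attribute of the form field and smuggles in an event-handler
# attribute; the trailing x=" re-opens an attribute so the remaining original
# markup stays syntactically valid.
CRAFTED_FILENAME = '" autofocus onfocus="alert(document.cookie)" x="'


def render_edit_form_vulnerable(filename: str) -> str:
    """Hypothetical model of the vulnerable pattern (not MantisBT's code):
    the stored filename is interpolated into an HTML attribute unescaped."""
    return f'<input type="text" name="file" value="{filename}">'


def render_edit_form_fixed(filename: str) -> str:
    """Hardened form: escape for the attribute context. quote=True also
    converts " and ', so the value can no longer terminate the attribute."""
    return f'<input type="text" name="file" value="{escape(filename, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-like parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    """Parse the rendered form and return the <input> attributes. An 'onfocus'
    key means the filename escaped the attribute and became executable code."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


_HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def csp_allows_inline_script(csp_header: str) -> bool:
    """Simplified check (assumption, not a full CSP implementation) of whether
    a Content-Security-Policy header lets an injected inline event handler run.
    Rules modelled: script-src governs, falling back to default-src; no policy
    means no restriction; 'unsafe-inline' is ignored by modern browsers once a
    nonce or hash source is present."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    if any(src.startswith(_HASH_OR_NONCE) for src in sources):
        return False
    return "'unsafe-inline'" in sources


_SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}")


def filename_is_safe(filename: str) -> bool:
    """Defense-in-depth allowlist for upload filenames while the fix is pending.
    Rejects quotes, angle brackets and other HTML metacharacters. This does not
    replace output escaping, which is the actual fix."""
    return bool(_SAFE_FILENAME.fullmatch(filename))


if __name__ == "__main__":
    for render in (render_edit_form_vulnerable, render_edit_form_fixed):
        attrs = parsed_input_attrs(render(CRAFTED_FILENAME))
        print(render.__name__, "injected handler:", "onfocus" in attrs)
    print("CSP allows inline:", csp_allows_inline_script("script-src 'self' 'unsafe-inline'"))
    print("Filename allowed:", filename_is_safe(CRAFTED_FILENAME))
```

The escaped form is the real fix: after `escape(..., quote=True)` the parser hands the whole crafted string back as the field's value and no `onfocus` attribute exists. The CSP check illustrates the advisory's condition: a policy that grants `'unsafe-inline'` (or has no script-src at all) lets the handler run, while a nonce- or hash-based policy blocks it even when `'unsafe-inline'` is listed. The filename allowlist only reduces exposure until the upgrade is applied.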
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Mantisbt